Modern CPUs Vulnerable to Meltdown and Spectre Attacks
Google Project Zero researcher Jann Horn reported two attack methods, Meltdown and Spectre, that can be used to exploit three vulnerabilities (CVE-2017-5754, CVE-2017-5753, and CVE-2017-5715) that exist within nearly all CPUs released since 1995, including processors produced by Intel, AMD, and ARM. These vulnerabilities exist due to an optimization technique used by CPUs dubbed “speculative execution,” which allows the processors to preemptively perform computations and prepare the results in the event that the data is needed at a future time. If exploited using the Meltdown or Spectre attacks, these vulnerabilities could allow a remote threat actor to steal data from the affected system including, but not limited to, passwords stored in a web browser or password manager, encryption keys, and other sensitive data stored in the memory of a process. This type of data theft can occur because these attacks dissolve the security boundaries that exist between user applications and the operating system – boundaries that are typically enforced by the system’s hardware.

Software and hardware vendors are investigating this issue and some have already released security advisories and patches for their products. At the time of this bulletin's release, the following companies have published information regarding the vulnerabilities: Amazon AWS, AMD, Android, Chromium, Google, Intel, Linux, Microsoft Windows Server Guidance, Microsoft Windows Client Guidance, Mozilla, NVIDIA, Red Hat, and Xen. In addition, Bleeping Computer will be maintaining and updating a list of vendor advisories and notices as new information becomes available.

The NJCCIC recommends all users and administrators of affected products apply the appropriate updates as they are released and regularly monitor for vendor updates and mitigation strategies that address this issue.
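One way to confirm that kernel updates have taken effect on a Linux host, as an added example that is not part of the original bulletin: the script reads the status the kernel reports for each of the three CVEs and lists those that still need attention. It assumes a kernel that exposes `/sys/devices/system/cpu/vulnerabilities` (Linux 4.15 or a vendor backport); the function names are hypothetical, and a missing file is reported as unknown rather than safe.

```python
"""Report Linux kernel mitigation status for the three CVEs in this bulletin."""
from pathlib import Path

# Kernel-reported status files (assumption: Linux 4.15+ or a vendor backport).
SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")

# CVE -> (attack name, sysfs file name)
CVE_FILES = {
    "CVE-2017-5754": ("Meltdown", "meltdown"),
    "CVE-2017-5753": ("Spectre variant 1", "spectre_v1"),
    "CVE-2017-5715": ("Spectre variant 2", "spectre_v2"),
}


def classify(status):
    """Map a kernel status string to not_affected / mitigated / vulnerable / unknown."""
    if status is None:
        return "unknown"  # file missing: kernel predates the interface
    text = status.strip()
    if text == "Not affected":
        return "not_affected"
    if text.startswith("Mitigation:"):
        return "mitigated"
    if text.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"


def read_status(base=SYSFS_DIR):
    """Return {cve: (attack, raw_status_or_None, verdict)} from a sysfs-style directory."""
    report = {}
    for cve, (attack, name) in CVE_FILES.items():
        try:
            raw = (Path(base) / name).read_text().strip()
        except OSError:
            raw = None
        report[cve] = (attack, raw, classify(raw))
    return report


def needs_action(report):
    """CVEs whose status is vulnerable or cannot be determined."""
    return sorted(c for c, (_, _, v) in report.items() if v in ("vulnerable", "unknown"))


if __name__ == "__main__":
    result = read_status()
    for cve, (attack, raw, verdict) in result.items():
        print(f"{cve} ({attack}): {verdict} [{raw or 'no kernel report'}]")
    print("Needs action:", ", ".join(needs_action(result)) or "none")
```

The report covers only what the running kernel knows about; firmware, hypervisor, and browser updates from the vendors listed above still have to be tracked separately.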